Graph

Embedding Hiding Patterns

Modulation of Temporal Behavior:

ET1. Event/Element Interval Modulation
ET1.1. Rate/Throughput Modulation
ET2. Event Occurence

Modulation of Non-temporal Behavior:

EN1. Artificial Element-Loss
EN2. Elements/Features Positioning
EN3. Elements/Features Enumeration
EN4. State/Value Modulation
EN4.1. Reserved/Unused State/Value Modulation
EN4.2. Random State/Value Modulation
EN4.3. Blind State/Value Modulation
EN5. Feature Structure Modulation
EN5.1. Size Feature Modulation
EN5.2. Character Feature Modulation

Representation Hiding Patterns (Domain Specific) Example: Network Steganography

Recognition of Temporal Behavior:

RT1n. Event/Element Interval Modulation (derived from ET1)
RT1.1n. Rate/Throughput Modulation (derived from ET1.1)
RT2n. Event Occurence (derived from ET2)
RT2.1n. Frame Corruption (derived from RT2n)

Recognition of Non-temporal Behavior:

RN1n. Artificial Element-Loss (derived from EN1)
RN1.1n. Artificial (Forced) Reconnections Modulation (derived from RN1n)
RN2n. Elements/Features Positioning (derived from EN2)
RN3n. Elements/Features Enumeration (derived from EN3)
RN3.1n. Artificial Retransmissions Modulation (derived from RN3n)
RN4n. State/Value Modulation (derived from EN4)
RN4.1n. Reserved/Unused State/Value Modulation (derived from EN4.1)
RN4.2n. Random State/Value Modulation (derived from EN4.2)
RN4.3n. Blind State/Value Modulation (derived from EN4.3)
RN5n. Feature Structure Modulation (derived from EN5)
RN5.1n. Size Feature Modulation (derived from EN5.1)
RN5.2n. Character Feature Modulation (derived from EN5.2)

ET1. Event/Element Interval Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Inter-packet Times pattern from Wendzel et al., 2015.
Illustration The covert message is embedded by modulating the gaps between succeeding events/elements.
Context Embedding Hiding Patterns -> Modulation of Temporal Behavior
Evidence 1) modulating the inter-packet gap between succeeding network packets (elements) or between connection establishments (events); 2) modulating the time-gap between succeeding cyber-physical actions, such as acoustic beeps.
Implementation  

Pattern Collection

ET1.1. Rate/Throughput Modulation

Initial publication Wendzel et al., 2015; however, meaning of the pattern was generalized in Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns to render it independent from the networking context
Illustration The covert message is embedded by alternating the rate of events/elements (by introducing delays or by decreasing delays). Here, several inter-event/element intervals have to be modified in a row to embed a secret message, i.e., the message is not embedded into particular inter-event/element timings but in the overall rate/throughput.
Context Embedding Hiding Patterns -> Modulation of Temporal Behavior
Evidence 1) modulating the packet rate while sending traffic to some destination (by decreasing/increasing delays between send() actions); 2) modulating the number of produced items per hour in a production facility.
Implementation  

Pattern Collection

ET2. Event Occurence

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Message Sequence Timing pattern from Mazurczyk et al., 2016.
Illustration The covert message is encoded in the temporal location of events (in comparison to ET1.1, the rate of events is not directly modulated but events are triggered at specific moments in time, moreover, ET2 can be a single event while ET1.1 needs a sequence of elements).
Context Embedding Hiding Patterns -> Modulation of Temporal Behavior
Evidence 1) sending a specific packet at 6pm; 2) influencing the time at which a drone starts its journey to some destination (or its arrival time).
Implementation  

References:
Wojciech Mazurczyk, Steffen Wendzel, Sebastian Zander, Amir Houmansadr, and Krzysztof Szczypiorski: Information Hiding in Communication Networks: Fundamentals, Mechanisms, and Applications, IEEE Series on Information and Communication Networks Security, Wiley, 2016.

Pattern Collection

EN1. Artificial Element-Loss

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Artificial Loss pattern from Wendzel et al., 2015.
Illustration The covert message is embedded by modulating the artificial loss of elements.
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) dropping TCP segments with an even sequence number; 2) removing commas in sentences Bender1996.
Implementation  

References:
Walter Bender, Daniel Gruhl, Norishige Morimoto, and Anthony Lu: Techniques for data hiding, IBM Systems Journal, 35 (Nos 3&4), IBM, pages 313–336, 1996.

Pattern Collection

EN2. Elements/Features Positioning

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns
Illustration The covert message is embedded by modulating the position of a predefined (set of) element(s)/feature(s) in a sequence of elements/features.
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) position of an IPv4 option in the list of options; 2) placing a drink on a table to signal a Go player to play more defensive; 3) placing a specific character in a paragraph.
Implementation  

Pattern Collection

EN3. Elements/Features Enumeration

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns
Illustration The covert message is embedded by altering the overall number of appearances of elements/features in a sequence.
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) fragmenting a network packet into either n or m (n ≠ m) fragments; 2) modulating the number of people wearing a t-shirt in a specific color in an image file; 3) repeating an element/feature by duplicating a white space character (or not) in a text Bender1996.
Implementation  

References:
Walter Bender, Daniel Gruhl, Norishige Morimoto, and Anthony Lu: Techniques for data hiding, IBM Systems Journal, 35 (Nos 3&4), IBM, pages 313–336, 1996.

(Wendzel et al., 2016)

Pattern Collection

EN4. State/Value Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Value Modulation pattern from Wendzel et al., 2015.
Illustration The covert message is embedded by modulating the states or values of features.
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) performing intense computation to influence some temperature/clock-skew NIHbook; 2) modulating other physical states, such as proximity, visibility, force, height, acceleration, speed, etc. of certain devices; 3) changing values of the network packet header fields (e.g., target IP address of ARP Ji2010, Hop Count value in IPv6 Lucena2005 or the LSB in the IPv4 TTL); 4) modulate the x-y-z coordinates of a player in a 3D multiplayer online game Zander2008.
Implementation  

References:
Wojciech Mazurczyk, Steffen Wendzel, Sebastian Zander, Amir Houmansadr, and Krzysztof Szczypiorski: Information Hiding in Communication Networks: Fundamentals, Mechanisms, and Applications, IEEE Series on Information and Communication Networks Security, Wiley, 2016.

Liping Ji, Yu Fan, and Chuan Ma: Covert channel for local area network, 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, pages 316-319, 2010.

Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin: Covert channels in IPv6, International Workshop on Privacy Enhancing Technologies, Springer, pages 147-166. 2005.

Sebastian Zander, Grenville Armitage, and Philip Branch: Covert channels in multiplayer first person shooter online games, 2008 33rd IEEE Conference on Local Computer Networks (LCN), IEEE, pages 215-222, 2008.

Pattern Collection

EN4.1. Reserved/Unused State/Value Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Reserved/Unused pattern from Wendzel et al., 2015.
Illustration The covert message is embedded by modulating reserved/unused states/values.
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) overwriting the IPv4 reserved field HandelSandford96; 2) modulation of unused registers in embedded CPS equipment IoTStego17.
Implementation  

References:
Theodore G. Handel, and Maxwell T. Sandford II.: Hiding data in the OSI network model, Proceedings of the 1st International Workshop on Information Hiding, pages 23-38, 1996.

Steffen Wendzel, Wojciech Mazurczyk and Georg Haas: Don’t You Touch My Nuts: Information Hiding in Cyber Physical Systems, 2017 IEEE Security and Privacy Workshops (SPW), IEEE, pages 29-34, 2017.

Pattern Collection

EN4.2. Random State/Value Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Random (Value) Modulation pattern from Wendzel et al., 2015.
Illustration A (pseudo-)random value or (pseudo-)random state is replaced with a secret message (that is also following a pseudo-random appearance)
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) replacing the pseudo-random content of a network header field with encrypted covert content; 2) encoding a secret message in the randomized selection of a starting player in an online chess game.
Implementation  

Pattern Collection

EN4.3. Blind State/Value Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns
Illustration Blind corruption of data.
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) blindly overwriting a checksum of a PDU to corrupt a packet (or not) to embed hidden information; 2) blindly overwriting content of a file in a filesystem, neglecting its file header; 3) blindly overwriting a TCP payload.
Implementation  

Pattern Collection

EN5. Feature Structure Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns
Illustration This hiding pattern comprises all hiding techniques that modulate the structural properties of a feature (but not states/values (EN4), positions (EN2) or number of appearances (EN3)).
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) increasing/decreasing the size of succeeding network packets; 2) changing the color/style of characters in texts.
Implementation  

Pattern Collection

EN5.1. Size Feature Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Size Modulation pattern from Wendzel et al., 2015.
Illustration The covert message is embedded by modulating the size of an element.
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) create additional (unused) space in network packets for embedding hidden data, such as adding an ``unused’’ IPv6 destination option IPv6DestOptCC; 2) alternate the size of PNG files.
Implementation  

References:
Thomas Graf: Messaging over IPv6 Destination Options, Swiss Unix User Group, 2003.

Pattern Collection

EN5.2. Character Feature Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns
Illustration Modulation of different features in characters, such as color, size (scale), font, position or size of different parts in some letters. Relations: Utilizes partially the same methods as EN4. State/Value Modulation (e.g., a HTTP header field’s character is also a value). Thus, both are linked in the Taxonomy.
Context Embedding Hiding Patterns -> Modulation of Non-temporal Behavior
Evidence 1) using upper/lower case letters in HTTP or SMTP requests Dyatlov2003; 2) modulating the color of characters in text steganography.
Implementation  

References:
Alex Dyatlov, and Simon Castro: Exploitation of Data Streams Authorized by a Network Access Control System for Arbitrary Data Transfers: Tunneling and Covert Channels over the HTTP Protocol, Gray-world, 2003.

Pattern Collection

Representation Patterns for Network Steganography

RT1n. Event/Element Interval Modulation

(derived from ET1)

Pattern Collection

RT1.1n. Rate/Throughput Modulation

(derived from ET1.1)

Pattern Collection

RT2n. Event Occurence

(derived from ET2)

Pattern Collection

RT2.1n. Frame Corruption

(derived from RT2n)

Pattern Collection

RN1n. Artificial Element-Loss

(derived from EN1)

Pattern Collection

RN1.1n. Artificial (Forced) Reconnections Modulation

(derived from RN1n)

  • Original description (ih-patterns)
  • Introduced by A. Mileva, A. Velinov, L. Hartmann et al.: Comprehensive Analysis of MQTT 5.0 Susceptibility to Network Covert Channels, Computers & Security, Elsevier, 2021.
  • Short Illustration: The Artificial Reconnections Pattern employs artificial (forced) reconnections to transfer secret messages. The covert sender influences connections of third-party nodes in a way that their connections to either a central element (e.g., an MQTT broker or a server) or a peer (in a peer-to-peer network) are terminated and then established again (i.e., a reconnect is performed). The covert receiver must be capable of monitoring these reconnects, e.g., either by compromising the central/peer element or in a passive network observer situation, like a MitM location. Encoding works by assigning secret values to third-party, so that a reconnect of a particular node represents the transfer of the secret symbol assigned to that node. Another scenario for this pattern can also be a chatroom or a gaming server with a large number of clients that reconnect automatically after being disconnected.

Pattern Collection

RN2n. Elements/Features Positioning

(derived from EN2)

Pattern Collection

RN3n. Elements/Features Enumeration

(derived from EN3)

Pattern Collection

RN3.1n. Artificial Retransmissions Modulation

(derived from RN3n)

Pattern Collection

RN4n. State/Value Modulation

(derived from EN4)

Pattern Collection

RN4.1n. Reserved/Unused State/Value Modulation

(derived from EN4.1)

Pattern Collection

RN4.2n. Random State/Value Modulation

(derived from EN4.2)

Pattern Collection

RN4.3n. Blind State/Value Modulation

(derived from EN4.3)

Pattern Collection

RN5n. Feature Structure Modulation

(derived from EN5)

Pattern Collection

N5.1n. Size Feature Modulation

(derived from EN5.1)

Pattern Collection

RRN5.2n. Character Feature Modulation

(derived from EN5.2)

Pattern Collection


Bibliography:

Steffen Wendzel, Sebastian Zander, Bernhard Fechner, and Christian Herdin: Pattern-based Survey and Categorization of Network Covert Channels, ACM Comp. Surv., 2015.

Walter Bender, Daniel Gruhl, Norishige Morimoto, and Anthony Lu: Techniques for data hiding, IBM Systems Journal, 35 (Nos 3&4), IBM, pages 313–336, 1966.

Liping Ji, Yu Fan, and Chuan Ma: Covert channel for local area network, 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, pages 316-319, 2010.

Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin: Covert channels in IPv6 International Workshop on Privacy Enhancing Technologies, Springer, pages 147-166. 2005.

Sebastian Zander, Grenville Armitage, and Philip Branch: Covert channels in multiplayer first person shooter online games, 2008 33rd IEEE Conference on Local Computer Networks (LCN), IEEE, pages 215-222, 2008.

Wojciech Mazurczyk, Steffen Wendzel, Sebastian Zander, Amir Houmansadr, and Krzysztof Szczypiorski: Information Hiding in Communication Networks: Fundamentals, Mechanisms, and Applications, IEEE Series on Information and Communication Networks Security, Wiley, 2016.

Theodore G. Handel, and Maxwell T. Sandford II.: Hiding data in the OSI network model, Proceedings of the 1st International Workshop on Information Hiding, pages 23-38, 1996.

Steffen Wendzel, Wojciech Mazurczyk and Georg Haas: Don’t You Touch My Nuts: Information Hiding in Cyber Physical Systems, 2017 IEEE Security and Privacy Workshops (SPW), IEEE, pages 29-34, 2017.

Thomas Graf: Messaging over IPv6 Destination Options, Swiss Unix User Group, 2003.

Alex Dyatlov, and Simon Castro: Exploitation of Data Streams Authorized by a Network Access Control System for Arbitrary Data Transfers: Tunneling and Covert Channels over the HTTP Protocol, Gray-world, 2003.